EUCommission still
seeking proof of the necessity of mandatory data retention20.1.12

"all Member
States - not just a minority - need to provide convincing evidence
of the value of data retention for security and criminal justice"
In December 2010, the European Commission organised a workshop
on the proposed reform of the Data Retention Directive. In a
speech to the conference, the European Data Protection Supervisor
made clear that:

"At the moment,
the Directive is only based on the assumption that it constitutes
a necessary and proportionate measure. However, the time has
come to actually provide sufficient evidence of this.

"Without such
evidence, the Data Retention Directive should be withdrawn or
replaced by a more targeted and less intrusive instrument which
does meet the requirement of necessity and proportionality."
[1]

A recent note from the
Commission to the Working Party on Data Protection and Information
Exchange [2] raises questions over what sort of evidence will
be used to provide justification for the reform of the Directive,
and whether that reform will be able to satisfy the demands of
data protection authorities and privacy advocates.

Quantitative versus
qualitative

The Commission states
that "all Member States - not just a minority - need
to provide convincing evidence of the value of data retention
for security and criminal justice." This is considered
necessary to address the "continued perception that there
is little evidence at an EU and national level on the value of
data retention in terms of public security and criminal justice,
nor of what alternatives have been considered."

So far, only 11 of 27
Member States have provided evidence of the importance of retained
data in cases of terrorism, serious crime, or telecommunications
crime - and this was qualitative, rather than quantitative data.
This is despite the Commission having had over a year to obtain
further evidence from the Member States of the necessity of the
retention measures.

Substantial quantitative
data would best serve the interests of the Commission and the
Member States who are insistent upon keeping the Directive. Yet
further attempts to prove the necessity of retention seem likely
to come in qualitative form (eg: selected high-profile examles).
It was stressed by some delegations at a May 2011 meeting of
the Working Party on Data Protection and Information Exchange
that the necessity of data retention:

"[C]ould not be
argued on the basis of statistical data the gravity of
the offences investigated thanks to traffic data, rather than
the mere number of cases in which traffic data were used should
receive due attention. Quantitative analysis should be complemented
with qualitative assessment." [3]

The use of qualitative
evidence has of course been used before in attempts to justify
privacy-intrusive measures. The impact assessment accompanying
the proposal for a Directive on the use of Passenger Name
Record data for the prevention, detection, investigation and
prosecution of terrorist offences and serious crime contains
a series of anecdotes intended to prove the necessity of states
storing and processing PNR data, with no statistics to back them
up. [4]

A 2010 study by the German
Federal Crime Agency into data retention, which did use quantitative
evidence, found that data retention was "ineffective"
and led to an overall decrease in crime clearance rates. [5]

There seems to be an ongoing
problem with the collection and use of statistics when it comes
to EU legislation and computer systems intended to ease the work
of law enforcement authorities. A study completed in December
2010 on cross-border information exchange found that Member States
could not answer many questions put to them "due to the
lack of (comparable) statistics". Those undertaking the
study found that "there were widespread gaps in the quantitative
statistics available". [6]

The Commission versus
the courts

The German Federal Crime
Agency's 2010 study took place before a challenge to the law
reached the country's Constitutional Court. In March 2010 the
Court suspended the German transposition of the Directive, arguing
that "such retention represents an especially grave intrusion"
into individual privacy. [7]

There have also been legal
challenges to the provisions in Bulgaria, Sweden, the Czech Republic
and Ireland. [8] In late October, the Commission formally requested
that Germany and Romania transpose the Directive into national
legislation. [9] Romania's Senate has rejected a new draft law,
[10] while in Germany a government spokesman has stated that
"a reasonable compromise to present a stable constitutional
solution" is being prepared. [11]

Despite these problems,
the Commission is insistent that retention must continue. Indeed,
it may well be that the reformed Directive, currently planned
for July 2012, will have an even wider scope than the current
legislation.

Privacy versus policing

The "unclear definitions
in the DRD have encouraged heterogeneous interpretations"
of the scope of the legislation, and "this can result
in frustration for law enforcement". For example:

"Instant messaging,
chat, uploads and downloads (but not anonymous SIM cards) are
types of data held by information society services which is almost
identical to traffic data but which is outside the scope of the
DRD. There is no standard EU approach to accessing this data,
so some law enforcement find it very difficult to get this data
on time for their investigations."

Reform of the DRD is just
one of a series of measures in the coming year that look set
to extend the ability of law enforcement authorities to access
the personal data of individuals. The Commission is due to issue
a Communication on enhancing the traceability of users of
pre-paid communication services for law enforcement purposes
(almost certainly intended to deal with the ongoing 'problem'
of anonymous SIM cards), as well as a Green paper on commercial
information relevant to law enforcement and information exchange
models.

At the same time, discussions
are ongoing within the Commission on the proposed Police and
criminal justice data protection directive, intended to replace
the provisions of the highly-criticised Framework Decision
on the protection of personal data processed in the framework
of police and judicial cooperation in criminal matters.

"Data retention
is here to stay"

An ongoing campaign by
data protection authorities and civil society organisations has
attempted to have the Data Retention Directive either severely
amended or repealed altogether. However, it seems that the statement
of Commissioner Malmström in a December 2010 speech to a
consultation workshop on the Directive remains true: "data
retention is here to stay". [12]

&COPY; Statewatch ISSN 1756-851X.
Personal usage as private individuals/"fair dealing"
is allowed. We also welcome links to material on our site. Usage
by those working for organisations is allowed only if the organisation
holds an appropriate licence from the relevant reprographic rights
organisation (eg: Copyright Licensing Agency in the UK) with
such usage being subject to the terms and conditions of that
licence and to local copyright law.